SSL instructions for Amazon EC2 server, LINUX, Tomcat, Godaddy certificates



IMPORTANT UPDATE TO VIDEO
The video states that you can download a new, rekeyed certificate from GoDaddy as soon as a new line appears in the history. This is not true: you must wait some number of hours before a rekeyed certificate is available for download. This applies only to rekeys, not to brand-new certificates.

So the full steps for the process are thus:

CREATE A NEW DIRECTORY IN WHICH TO PREPARE THE KEYSTORE! cd to the new directory.

CREATE THE KEYSTORE

keytool -genkeypair -keystore bourne.keystore -keypass bourne -storepass bourne -keyalg RSA -keysize 2048 -alias tomcat -deststoretype pkcs12

For FirstName/LastName (this becomes the certificate's CN): the site's host name, e.g. www.example.com
Then anything for department
Organization: put the full name in, for human reading consumption
City: SOUTH EASTON
State: MASSACHUSETTS
Default the rest (US)

GENERATE THE CSR (THE REQUEST FOR A NEW KEY FOR GODADDY)
keytool -certreq -keyalg RSA -alias tomcat -file csr.csr -keystore bourne.keystore

This will create a csr.csr file in the same folder. Type it out (e.g. cat csr.csr), then copy everything into the clipboard.

Go to the GoDaddy site. FROM THE GODADDY HOMEPAGE, under the user name find “My Products”. Then under SSL CERTIFICATES, use the “Manage” button.

Generate or rekey the certificate. Paste the CSR into the csr input field. Select your domain options, generate the certificate.

To confirm that the certificate is ready, go back to the QUICK LINK for Manage SSL Certificates again and choose HISTORY on the SSL management page. You should see the new certificate on the top of the history list. If yes, go back to the Manage SSL Certificates page and Download the ZIP file. You will have to choose the Web Application Server (currently TOMCAT).

Get the GoDaddy root cert gdroot-g2.crt from their repository. (This is not in the ZIP file you downloaded with the files for your specific certificate!) I also get the intermediate cert from the repository, too; that’s gdig2.crt.

I upload the ZIP to my server before I unzip. Also upload the GoDaddy root cert gdroot-g2.crt and intermediate cert gdig2.crt. SSH to the server and move the ZIP and the GoDaddy root and intermediate certs to the folder holding the keystore. Unzip the ZIP file. You’ll get 3 .crt files from it:

gd_bundle-g2-g1.crt – A bundle of other certs used to overcome a Java problem with SHA1 and SHA2 (I don’t use it).
gdig2.crt.pem – Intermediate cert, but in PEM format (I don’t use this either).
14randomchar.crt – Your server certificate, issued for the private key that stays in your keystore (the file name is 14 random characters).

INSTALL THE CERTS
Make sure you use these aliases (especially the tomcat alias on your server certificate, the last one: it must match the alias of the key pair you generated, or keytool will add a separate trusted entry instead of attaching the cert to your private key).

FIRST, THE GODADDY ROOT
keytool -import -alias root -keystore bourne.keystore -trustcacerts -file gdroot-g2.crt

NEXT, THE INTERMEDIATE
keytool -import -alias intermed -keystore bourne.keystore -trustcacerts -file gdig2.crt

FINALLY, YOUR SERVER CERTIFICATE, imported onto your private key (change the filename to the one from the ZIP)
keytool -import -alias tomcat -keystore bourne.keystore -file 529e3d67f9bee86f.crt

Your keystore should be ready. I like to list its contents:
keytool -list -v -keystore bourne.keystore

Or non-verbose:
keytool -list -keystore bourne.keystore

For non-verbose, I see this:
—————————————————————————–
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Mar 23, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
tomcat, Mar 23, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 1C:B4:8A:61:AE:A8:F7:15:AC:9F:7D:EC:30:3A:F5:A9:E6:E3:C2:6D
intermed, Mar 23, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
—————————————————————————–
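As an added check that is not part of the original walkthrough: a small Python script that parses the non-verbose keytool -list output shown above and confirms the layout the steps expect (a PrivateKeyEntry under alias tomcat and trustedCertEntry entries for root and intermed). The sample listing, its placeholder fingerprints and the function names are constructed for this example.

```python
import re

# Constructed sample: the non-verbose `keytool -list` output shown above, with
# the SHA1 fingerprints replaced by placeholder values.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Mar 23, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
tomcat, Mar 23, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
intermed, Mar 23, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55
"""

# Entry lines look like "<alias>, <date>, <type>,". The date contains a comma
# ("Mar 23, 2017"), so anchor on the fixed entry-type names, not on commas.
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+), (?P<date>.+), "
                      r"(?P<kind>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),\s*$")
COUNT_RE = re.compile(r"^Your keystore contains (?P<n>\d+) entr")

def parse_listing(text):
    """Return ({alias: entry type}, declared entry count or None)."""
    entries, declared = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # keytool stores aliases case-insensitively, so normalise
            entries[m["alias"].strip().lower()] = m["kind"]
        elif COUNT_RE.match(line):
            declared = int(COUNT_RE.match(line)["n"])
    return entries, declared

def check_keystore(entries, declared, key_alias="tomcat", trusted=("root", "intermed")):
    """Describe what is wrong with the keystore layout; an empty list means OK."""
    problems = []
    if declared is not None and declared != len(entries):
        problems.append(f"declared {declared} entries but parsed {len(entries)}")
    if entries.get(key_alias) != "PrivateKeyEntry":
        problems.append(f"alias '{key_alias}' is {entries.get(key_alias)}, expected PrivateKeyEntry")
    for alias in trusted:
        if entries.get(alias) != "trustedCertEntry":
            problems.append(f"alias '{alias}' is {entries.get(alias)}, expected trustedCertEntry")
    return problems

if __name__ == "__main__":
    print(check_keystore(*parse_listing(SAMPLE_LISTING)) or "keystore layout looks right")
```

A non-verbose listing cannot tell you whether the tomcat entry still carries the original self-signed certificate (the result of importing the GoDaddy cert under a different alias); for that, run the -v listing and check that the tomcat entry's issuer is the GoDaddy intermediate rather than your own CN.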

Change the ownership on the keystore:
sudo chown tomcat:tomcat bourne.keystore

Change the permissions on the keystore:
sudo chmod 644 bourne.keystore

Check it:
ls -al bourne.keystore
-rw-r--r-- 1 tomcat tomcat 7215 Mar 23 18:21 bourne.keystore

Configure Tomcat’s server.xml file (located on my server in /usr/share/tomcat8/conf/server.xml). Add an HTTPS connector like this:

<Connector port="8443" maxThreads="150"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="/etc/tomcat8/bourne.keystore" keystorePass="bourne"
clientAuth="false" sslProtocol="TLS">
</Connector>

You may need to forward port 443 to 8443 (if you update software using “yum update”, it can reset iptables and drop that rule).

Copy the keystore to where you reference it in server.xml

sudo cp bourne.keystore /etc/tomcat8

sudo ls -al /etc/tomcat8/bourne.keystore
-rw-r--r-- 1 tomcat tomcat 7215 Mar 23 18:21 bourne.keystore

Restart tomcat
sudo service tomcat8 restart

Test:

/end

Source: https://hip-hop-music-classic.com


13 thoughts on “SSL instructions for Amazon EC2 server, LINUX, Tomcat, Godaddy certificates”

  1. Hi, I forgot to generate the keystore at the start. I generated the .csr without adding a keystore and then generated the SSL on GoDaddy with that .csr, so do we need to create the certificate again, or how do we use the keystore with the .csr after getting the certificate?

  2. Hey Joe, thanks for this information. I was struggling to set up SSL on my Amazon EC2; I just followed your video step by step and everything is working well. Thanks a lot!!! God bless you. Regards from Mexico

  3. Hi Boston Joe.
    I have an Apache server on Amazon EC2. My Godaddy SSL cert expired in June. I renewed it, but I just can't seem to get it installed. Can you help me? It seems that you also have Tomcat knowledge. I also have a Tomcat server at EC2 which is running but is not accessible on the internet. Perhaps you could help me with that server also. Please reply. Thanks

  4. My private key was changed when I was installing SSL for nginx. How can I import this private key into my bourne.keystore file and remove the old crt (private file)?

  5. Hello Boston,
    What password are we suppose to give after this command 'keytool -certreq -keyalg RSA -alias tomcat -file csr.csr -keystore bourne.keystore'?

    Thanks for your video 🙂
